DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Inconsistent Tracking of totalStaked and userData[msg.sender].totalStaked

Summary

totalStaked from userData is not tracked during staking

Vulnerability Details

The discrepancy between totalStaked and userData[msg.sender].totalStaked can lead to inaccurate tracking of staked tokens. When tokens are staked, totalStaked is incremented based on newStaked, but userData[msg.sender].totalStaked is not updated in the stake functions. If the epoch rolls over and unstake functions are called later, the amount is subtracted from totalStaked and also from userData[msg.sender].totalStaked:

    userData[msg.sender].totalStaked -= _amount;

This may cause issues because the value was never added during staking in the first place. This can result in incorrect reward calculations and inconsistencies in the contract’s balance.

    /// @notice Stake FJORD tokens into the contract.
    /// @dev This function allows users to stake a certain number of FJORD tokens.
    /// @param _amount The amount of tokens user wants to stake.
    function stake(uint256 _amount) external checkEpochRollover redeemPendingRewards {
        //CHECK
        if (_amount == 0) revert InvalidAmount();

        //EFFECT
        userData[msg.sender].unredeemedEpoch = currentEpoch;

        DepositReceipt storage dr = deposits[msg.sender][currentEpoch];
        if (dr.epoch == 0) {
            dr.staked = _amount;
            dr.epoch = currentEpoch;
            _activeDeposits[msg.sender].add(currentEpoch);
        } else {
            dr.staked += _amount;
        }

        newStaked += _amount;

        //INTERACT
        fjordToken.safeTransferFrom(msg.sender, address(this), _amount);
        points.onStaked(msg.sender, _amount);
        emit Staked(msg.sender, currentEpoch, _amount);
    }

Proof of Concept:

  • User stakes tokens with the stake function, which increases newStaked and dr.staked but does not update userData[msg.sender].totalStaked.
    When the epoch rolls over, newStaked is added to totalStaked.

  • User calls one of the unstake functions based on the type of unstake to unstake tokens. The total staked amount subtracted from userData[msg.sender].totalStaked may not match the amount recorded in userData[msg.sender].totalStaked because that was never updated during staking.

This mismatch affects the calculation of rewards and the contract balance.

Impact

totalStaked from userData is never tracked

Tools Used

manual review

Recommendations

Update userData[msg.sender].totalStaked in the staking functions to ensure consistency between individual user data and the contract's total staked balance.

    userData[msg.sender].totalStaked += _amount;

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
